Due to their prevalence in today's society and their popularity for connecting financial resources and data sources, the internet and connected networks have become a hub for criminal activity. To detect, monitor, and learn about criminal behavior, security personnel often deploy one or more honeypot devices within a network. Honeypot devices are security mechanisms that appear to be attractive targets to an outside observer (e.g., a threat actor) but nonetheless monitor the threat actor's behavior and may assist in defending the network from the threat actor.
Existing honeypot devices generally collect, log, and transmit data for further analysis by a security researcher. These honeypot devices can vary in their complexity and functionality. For example, honeypot devices may be low-interaction data collectors that only emulate services, or high-interaction honeypot devices that capture attacker interactions through accessible operating systems and applications.
Oftentimes, however, honeypot devices are deployed statically to a single location. This makes them identifiable over time. Once a threat actor identifies a device as a honeypot device, they may take steps to avoid the device in future activity, thereby rendering the honeypot device ineffective.
While these static honeypots are likely to collect internet traffic and scan noise, they are unlikely to elicit interesting and useful data regarding targeted attacks. Furthermore, the lack of reactive honeypot actions based on prior attack(s) and internet scan data limits the usefulness of the data collected.
A need exists, therefore, for methods and systems that overcome the above disadvantages of existing honeypot devices.